Chad Tilbury

"The real voyage of discovery consists not in seeing new sights, but in looking with new eyes." - Proust

This favorite quote of Chad Tilbury has proven to be a recurrent theme throughout his career. When Chad attended the U.S. Air Force Academy, his interest was piqued early on by the thrill and challenge of engaging adversaries in new domains. Chad grew up enthralled by spy novels, so defending against real spies with counter-espionage techniques was particularly appealing. A career in computer crime investigations was the perfect fit.
Chad has over 20 years of experience working with government agencies, defense contractors, and Fortune 500 companies. And his case list looks like it's been pulled straight from those spy novels he grew up reading: murder, abduction, espionage, fraud, hacking, intellectual property theft, child exploitation, terrorism, and computer intrusions.

As a Special Agent with the Air Force Office of Special Investigations, Chad served on the national computer intrusion team and helped expand counter-espionage techniques into the digital age. He has led international forensic teams, built forensic departments, and spent over eight years as an incident response consultant and technical director with Mandiant and CrowdStrike.  
In addition, Chad worked as a computer security engineer and forensic lead for a major defense contractor and served as the vice president of worldwide Internet enforcement for the Motion Picture Association of America. In that role, he managed Internet anti-piracy operations for the seven major Hollywood studios in over 60 countries.

"With so many different skills and cultural perspectives on that team, I learned more about the dark underpinnings of the Internet than I ever could have imagined," says Chad.

Today, Chad brings his wealth of experience to his role as a  consultant, where he specializes in incident response, corporate espionage, and computer forensics. Here at SANS, Chad is a senior instructor and co-author for two six-day courses:  FOR500: Windows Forensic Analysis, which focuses on the core skills required to become a certified forensic practitioner, and FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting, which teaches sophisticated computer intrusion analysis and advanced threat hunting techniques.

Chad's experience brings immeasurable depth to his classes. He focuses not only on tools and techniques but also on understanding how those artifacts can be used to prove or disprove questions students are asked to investigate in their daily jobs. As Chad says, "Forensics is both an art and a science, and I find hearing about real-world applications provides new perspectives and can help unlock a student's ability to think unconventionally."  

Chad keeps his class goals simple: teach and lead discussions on the most important topics and make sure students have as much time as possible to work on the exercises. "I'm a big believer in hands-on learning," he says, "and we work hard to ensure the exercises in our classes are as realistic as possible. When students put all the pieces of a forensic investigation together themselves, it leads to those 'aha' moments that are so valuable."
The methodologies Chad teaches in his courses are the same ones he has used successfully on countless examinations. "Our exercises are months in the making and provide realistic, real-world evidence samples on which to practice," says Chad. "I have had numerous students report going back to their teams, blowing them away with a new technique, and promptly becoming the trainer themselves."

One of Chad's most memorable experiences in the classroom brought that immediacy of techniques to a whole new level.

"I was teaching some of my latest research on browser artifacts, recently added to the FOR500 class. Research showed that a specific browser database could be missing a day or more of information if not properly handled. There happened to be a law enforcement officer in class who was investigating a murder, and in his examination of the suspect's computer he had noted missing data during a critical 24-hour period. From our class discussion, the officer now had a tool and technique to recover the missing data in his case. Not surprisingly, he left class early!"

In addition to being a graduate of the U.S. Air Force Academy, Chad holds B.S. and M.S. degrees in computer science, as well as GCFA, GCIH, GREM, and ENCE certifications.

In his free time, Chad loves to travel and takes full advantage of the unique destinations his career takes him. He spends much of his time at home mountain biking, skiing, snowboarding, and mountaineering. Chad recently took a ski mountaineering trip to Antarctica, about as far away from a Wi-Fi signal as you can get!

Qualifications Summary

  • Over 20 years of experience working with government agencies, defense contractors, and Fortune 500 companies on a wide variety of cases
  • Senior instructor and course co-author for SANS Forensics 500: Windows Forensic Analysis and SANS Forensics 508: Advanced Digital Forensics, Incident Response, and Threat Hunting

Get to Know Chad Tilbury

Here is What Students Say About Chad Tilbury:

"Chad Tilbury is hands down the best instructor that I ever had in my 20 years of military service. Excellent job. Very relevant and up-to-date. An industry leader in this field." - Dannie Walters, U.S. Army

"Chad's real-world examples are a key part of the training. It really helps to have a knowledgeable instructor who currently works in the industry." - Roger Szulc, MDA

"I had the immense pleasure of learning from Chad during the SANS Computer Forensics and Investigation course. Chad's ability to break down complex, technically challenging topics and teach them in an understandable manner is second to none. He has helped countless numbers of people including myself gain the GCFA certificate and I wholeheartedly believe he is a true asset to any organization." - Ali Emirlioglu, Senior Security Operations Analyst at Datacom TSS

Here is a SANS Summit presentation by Chad Tilbury: